This transformation can be improved upon in several different ways, depending on how much performance and code size you're willing to give up. In a native code environment such as IA-32 assembly language, it might be beneficial to add some kind of disassembler-confusion macros such as the ones described earlier in this chapter. If made reasonably polymorphic, such macros would not be trivial to remove, and would really complicate the reversing process for this kind of function. That's because these macros would prevent reversers from being able to generate a full listing of the obfuscated function at any given moment. Reversing a table interpretation function such as the one in Listing 10.3 without having a full view of the entire function is undoubtedly an unpleasant reversing task.
Besides the confusion macros, another powerful enhancement to the obfuscation of the preceding function would be to add an additional lookup table, as demonstrated in Listing 10.4.
00401040 sub esp,28h
00401043 mov edx,dword ptr [esp+2Ch]
00401047 push ebx
00401048 push ebp
00401049 mov ebp,dword ptr [esp+38h]
0040104D push esi
0040104E push edi
0040104F mov edi,dword ptr [esp+10h]
00401053 xor eax,eax
00401055 xor ebx,ebx
00401057 mov dword ptr [esp+14h],1
0040105F mov dword ptr [esp+18h],8
00401067 mov dword ptr [esp+1Ch],4
0040106F mov dword ptr [esp+20h],6
00401077 mov dword ptr [esp+24h],2
0040107F mov dword ptr [esp+28h],9
00401087 mov dword ptr [esp+2Ch],3
0040108F mov dword ptr [esp+30h],7
00401097 mov dword ptr [esp+34h],5
0040109F lea ecx,[esp+14h]
004010A3 mov esi,dword ptr [ecx]
004010A5 add esi,0FFFFFFFFh
004010A8 cmp esi,8
004010AB ja 004010A3
004010AD jmp dword ptr [esi*4+401100h]
004010B4 xor dword ptr [edx],ebx
004010B6 add ecx,18h
004010B9 jmp 004010A3
004010BB mov edi,dword ptr [edx]
004010BD add ecx,8
004010C0 jmp 004010A3
Listing 10.4 The data-processing function from Listing 10.2 transformed using an array-based version of the table interpretation obfuscation method. (continued)
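To make the array-based table interpretation technique concrete, here is an added example in C (it is not the book's Listing 10.2 or 10.4, and the data-processing steps, the MIX_CONST value, the state array layout and the per-state strides are all constructed for illustration). The same small loop is written once plainly and once as an interpreter that reads its operation sequence from a state array, where each handler moves the cursor by its own stride, in the spirit of the add ecx,18h and add ecx,8 steps in the listing above. A third function shows what an analyst has to do to recover the real control flow: walk the array with the strides and record which states actually execute.

```c
/*
 * Added example, not from the book: a plain data-processing loop and its
 * array-based "table interpretation" equivalent, plus an analyst's helper
 * that recovers the executed state sequence from the array layout.
 * All constants, the state layout and the sample data are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MIX_CONST 0x9E3779B9u   /* arbitrary mixing constant for the example */

/* Plain version: the control flow is visible directly in the code. */
uint32_t process_clear(const uint32_t *data, size_t n)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc ^= data[i];
        acc = (acc << 5) | (acc >> 27);   /* rotate left by 5 */
        acc += MIX_CONST;
    }
    return acc;
}

/* State codes stored in the array; 0 marks filler the walk never lands on. */
enum { ST_XOR = 1, ST_ROT = 2, ST_ADD = 3, ST_NEXT = 4 };

/* Constructed layout. Only indices 0, 3, 4 and 6 are ever read because the
 * handlers advance the cursor by fixed strides of 3, 1 and 2 respectively. */
static const uint8_t g_program[9] = { ST_XOR, 0, 0, ST_ROT, ST_ADD, 0, ST_NEXT, 0, 0 };

/* Stride each state's handler applies to the cursor (indexed by state). */
static const size_t g_stride[5] = { 0, 3, 1, 2, 0 };

/* Table-interpreted version: same result, but the order of operations is
 * only visible after walking the array with the strides. */
uint32_t process_table(const uint32_t *data, size_t n)
{
    uint32_t acc = 0;
    size_t i = 0, pc = 0;

    if (n == 0) return 0;
    for (;;) {
        uint8_t st = g_program[pc];
        switch (st) {
        case ST_XOR:  acc ^= data[i];                 break;
        case ST_ROT:  acc = (acc << 5) | (acc >> 27); break;
        case ST_ADD:  acc += MIX_CONST;               break;
        case ST_NEXT:
            if (++i == n) return acc;
            pc = 0;                 /* restart the walk for the next element */
            continue;
        default:      return 0;     /* filler reached: layout bug, not expected */
        }
        pc += g_stride[st];
    }
}

/* Analyst's helper: recover the state sequence executed for one element by
 * replaying the cursor walk. Returns the number of states written to out. */
size_t recover_sequence(uint8_t *out, size_t max)
{
    size_t pc = 0, count = 0;
    while (count < max) {
        uint8_t st = g_program[pc];
        out[count++] = st;
        if (st == ST_NEXT || st == 0) break;
        pc += g_stride[st];
    }
    return count;
}

/* Constructed sample input for a quick self-check. */
static const uint32_t k_sample[] = { 0x11223344u, 0xDEADBEEFu, 0x00000001u, 0xFFFFFFFFu };
static const size_t k_sample_len = sizeof k_sample / sizeof k_sample[0];

/* Returns 1 if the obfuscated version agrees with the plain one. */
int table_matches_clear(void)
{
    return process_clear(k_sample, k_sample_len) == process_table(k_sample, k_sample_len);
}

int main(void)
{
    uint8_t seq[16];
    size_t len = recover_sequence(seq, sizeof seq);

    printf("clear: %08X  table: %08X  match: %d\n",
           process_clear(k_sample, k_sample_len),
           process_table(k_sample, k_sample_len), table_matches_clear());
    printf("recovered state sequence:");
    for (size_t k = 0; k < len; k++) printf(" %u", seq[k]);
    printf("\n");
    return 0;
}
```

The point of recover_sequence is that the obfuscation does not change what the function computes, only where the control flow lives: once the strides and the array contents are known, replaying the walk yields the plain sequence XOR, ROT, ADD, NEXT, which is exactly what process_clear does in the open.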
Antireversing Techniques 351